Interview with roy g biv
izee / EOF
--------------------------
|Interview with roy g biv |
|izee // EOF July 2, 2007 |
--------------------------

EOF: We welcome you, roy g biv! First of all, many thanks for agreeing to give us an interview for EOF issue #2. Please give a short introduction about yourself, roy g biv.

rgb: Hi there, I am roy g biv. I am a 28-year-old guy, from a city in a country in the world. Some things must be secret. :)

EOF: How many years have you been interested in computer viruses?

rgb: It was 1992, so 15 years now.

EOF: Why did you decide to start writing viruses?

rgb: There are many boring viruses, so I thought to make some interesting ones.

EOF: It would be interesting to know the story of your handle. Why have you chosen exactly "roy g biv"? What does it mean?

rgb: Now I don't remember anymore. It is the names of the colours of the rainbow in English - Red, Orange, Yellow, Green, Blue, Indigo, Violet. Probably I saw that when I started learning English and it sounds like a real name.

EOF: What do you prefer to do besides virus writing? What are your main hobbies and interests?

rgb: When I am not writing viruses, I am researching techniques for writing viruses. :) I am always thinking, trying to find something new that no-one did before. I am a machine with skin.

EOF: Tell us about your first steps, roy g biv. What was your first virus? What was the first group that you joined? Who and what helped you? What did it feel like when you started to write viruses?

rgb: I helped Prototype on his Bad Seed virus in 1992 and his Orsam virus in 1993. They were DOS viruses and I wrote some stubs for COM and EXE files, so you could say in source what kind of file to produce. I worked on his DMA virus after he died, made the code smaller and faster. It gave me confidence to make in 1994 my first virus alone. That was HiAnMiT. My first group was Defjam. I joined officially in 1993.
No-one helped me to learn the coding directly, because internet was expensive, so it was just e-mail with Prototype sometimes. I looked at some virus collections of friends, but I always wanted to make something that no-one ever saw before. For that, I needed only imagination and patience to research and try things. This is still how I develop the code today. When I started, I felt a joy like finding something that was lost. Purpose, motivation. Hard to describe. My works are security research but they also replicate. If eEye can make a PXE virus, then I think I'm okay, too. :)

EOF: We saw many of your works, roy g biv, and we have to admit that they are very great and unique. It would be great if you could list all of your works (viruses, worms, research etc.) here. Descriptions are welcome as well. ;)

rgb: Okay, here is the list:

Old research - in Vlad #7 was published the list of strings that could make any file never detected by Thunderbyte TBScan. For speed, TBScan used a list of exclusion strings. It means that any file that began with one of those strings would not be scanned further and nothing reported, even if other virus strings could be seen. TBScan even had a string for itself because otherwise it would report itself as a virus, since it triggered many heuristic flags.

DOS viruses:

HiAnMiT - this was my first virus. It was a memory-resident DOS virus that infected the MBR, and COM and EXE files without looking at the suffix. The MBR code exploited the circular partition bug in MS-DOS so the user could not boot from floppy to clean the system. The virus was full stealth in the MBR and the files, and for the memory size, too. If you wrote to an infected file, the virus code would be removed properly and added again on close. CHKDSK reported no errors even when the virus was active. MEM would show the original memory size as though the virus was not there. If you loaded the file in Debug, the loaded file would be clean in memory. All that in 2086 bytes.
I wrote some other modules for it later - UMB residence, floppy boot sector infection, .SYS infection, piggybacking (defeated Invircible's anti-piggybacking code).

FarQRSol - this was HiAnMiT with an oligomorphic decryptor. The in-memory image was encrypted, too, so hard to detect.

HiAnMiT Lite - this was the "light" version of HiAnMiT. It did not support infection of files after create, only on open. No debug support. This made the code smaller and less complex.

FarQRSol Lite - this was the "light" version of FarQRSol, with the same difference as for HiAnMiT Lite.

Win16 viruses:

I had ideas for Win 3.x viruses, but I never managed to finish anything. It was a terrible platform.

Win32 viruses:

W32.Shrug - this was a direct-action virus that infected PE files (EXE and DLL) without looking at the suffix. It was the first virus to use the TLS callback method to run the code before the entrypoint. It automatically selected the correct text-encoding method (ANSI for Windows 9x or Unicode for Windows NT+). If the relocations were at the end of the file, then the virus would move the relocations down and insert itself into the space. The virus also added random amounts of garbage to the end of the file to interfere with scanners that look at the end of the file.

W32.OU812 - this was a direct-action virus that infected VB5 and VB6 EXE files without looking at the suffix. It was the first virus to use the language extensions to run the code. It altered Visual Basic files to require that the virus DLL was present on the system in order for the file to load. It automatically selected the correct text-encoding method (ANSI for Windows 9x or Unicode for Windows NT+). If the relocations were at the end of the file, then the virus would move the relocations down and insert itself into the space. The virus also added random amounts of garbage to the end of the file to interfere with scanners that look at the end of the file.
W32.Chthon - this was a direct-action virus that infected PE files (EXE and DLL) without looking at the suffix. It was the first native executable virus. It ran before the Windows GUI loads. Infected files used the TLS callback method to run the code, just like Shrug. It was completely Unicode internally because it ran only on Windows NT+. If the relocations were at the end of the file, then the virus would move the relocations down and insert itself into the space. The virus also added random amounts of garbage to the end of the file to interfere with scanners that look at the end of the file.

W32.EfishNC - this was my first attempt at a super Windows virus. It was a memory-resident virus that infected Windows EXE files without looking at the suffix. It would infect files on all fixed and mapped network drives, and network shares. It looked for network shares on the local network and also using random IP addresses. It automatically selected the correct text-encoding method (ANSI for Windows 9x or Unicode for Windows NT+). If the relocations were at the end of the file, then the virus would move the relocations down and insert itself into the space. The virus also added random amounts of garbage to the end of the file to interfere with scanners that look at the end of the file. It was entrypoint-obscuring and used a tiny (<=32 bytes!) oligomorphic decryptor. It was the first virus to be encrypted using a simple substitution cipher. I thought that scanners could not break it, but I was wrong. There is an x-raying paper from Virus Bulletin 2004 which describes how they did it. It's a good paper.

W32.Gemini - this was a memory-resident virus that infected PE files (EXE and DLL) without looking at the suffix. It would infect files on all fixed and mapped network drives. It was the first virus for Windows that ran as two processes watching each other. If either one process was modified or suspended or terminated, the other would create a new process for it.
It automatically selected the correct text-encoding method (ANSI for Windows 9x or Unicode for Windows NT+). If the relocations were at the end of the file, then the virus would move the relocations down and insert itself into the space. The virus also added random amounts of garbage to the end of the file to interfere with scanners that look at the end of the file.

W32.EfishNC.B - this was EfishNC updated to use a polymorphic decryptor.

W32.Junkmail - this was my second attempt at a super Windows virus. It was EfishNC with an SMTP engine so it could send mail. It was the first virus that would send e-mail using polymorphic SMTP headers. For that, I had the help of RT Fishel, who came out of retirement just for that project. The subject and message body were variable. The text was all compressed to save space and also to make it hard to know what it could say. It knew all of the vulnerable IFrame types (MS01-020). It could send in .BAT, OLE2, or PE formats. The .BAT part was polymorphic, too. RT Fishel wrote an executable-ASCII base64 decoder that used no dictionary! That was 2002, and I think that still some scanners cannot detect it.

W32.EfishNC.C - this was EfishNC.B updated to use a homophonic substitution cipher. Still they were able to break it. The paper describes the weakness in my code, but I have never bothered to fix it.

W32.JunkHTMaiL - this was the first virus to use the self-executing MHTML exploit (MS03-014). It was based on Junkmail but it sent only binary files. The base64 part was polymorphic, though.

W32.Charm - this was a direct-action infector of .CHM files. It would append an object to every .HTM file inside the .CHM. The object has a codebase reference to the virus code in the .CHM. It was the first virus that could infect .CHM files.

W32.Junkmail.B - this was Junkmail updated to use more polymorphic SMTP headers, and to include the unregistered suffix exploit (MS05-016). I found a second CLSID that could be used to execute the code.
I believe that this one is still unpatched...

W32.Hidan - this was a memory-resident infector of PE files (EXE) without looking at the suffix. It was the first IDA plugin virus. It would infect files that were loaded into IDA. It automatically selected the correct text-encoding method (ANSI for Windows 9x or Unicode for Windows NT+). If the relocations were at the end of the file, then the virus would move the relocations down and insert itself into the space. The virus also added random amounts of garbage to the end of the file to interfere with scanners that look at the end of the file.

W32.Hidan.B - this was Hidan updated to support IDA 4.9+.

W32.Boundary - this was a direct-action infector of PE files (EXE) without looking at the suffix. It used a polymorphic decryptor that contained no MOV instructions. All register initialisation was done using arithmetic instructions (ADD/SUB/OR/XOR) only. It was entrypoint-obscuring through an altered entry in the import table. It used the fact that if a file contains a valid Bound Import Table, then the import table can be altered on disk and Windows will not touch it.

W32.Stutter - this was a virus that can relocate almost every one of its instructions. This was done before, of course, in Ply and some others on DOS, but they used JMP to link the instructions. Stutter uses int 3 to link the instructions, so there is no obvious way to know where the next instruction is. Only the int 3 handler cannot be separated like that, so I made that oligomorphic instead - random register usage and "variable constants".

W32.Spiffy - this was the first virus that is a self-executing PIF. The structure is a PIF with the PE file that holds the virus, then the host file appended to it. When you run the PIF, it runs a debug script which extracts and runs the virus file, which extracts and runs the host. Then it searches for another file to infect in that way.

W32.WeakLNK - this was the first virus that is a self-extracting LNK.
It is just Spiffy but using the LNK format instead.

Macro/Script viruses:

VBS.Pretext, JS.Pretext - these were the first script viruses for Windows that could prepend to data files. The data files would still run if you clicked on them. Great for .TXT or .JPG or .DOC, etc.

VBS.Conscrypt, JS.Conscrypt - these were direct-action viruses that infected VBS or JS files. They were the first viruses to use variable skip-code encryption. The decryptor was polymorphic, too.

VBS/O97M.Macaroni - this was my first attempt at a super Office virus. It was the first virus that could infect Word, Excel, PowerPoint, Access, Project, Visio. It knew how to switch off the macro protection and allow access to the Visual Basic Object Model. It was written in 2005, but it could infect Office 2007 when it was released with no changes to the code! Best of all, it used the same code for all of the applications, and only ~130 lines.

VBS/O97M.Macaroni.B - this was Macaroni updated to infect VBS files, too. The code was written so that the VBA code was also the VBS code with no changes required, so it was easy.

VBS/O97M.Macaroni.C, JS/O97M.Macaroni.C - this was Macaroni.B, but this time without needing to access the Visual Basic Object Model anymore. The JS version could infect .JS files as well.

VBS/JS.ACDC - this was the first virus that could be executed as either VBScript or JScript, depending only on the suffix. I always wondered if this was possible because I had seen other kinds of cross-infectors, such as BAT/VBScript, etc., but I had never seen VBS/JS before.

VBS.Screed, JS.Screed - this was a direct-action infector of VBS/JS files. It used the Scripting.Encoder object to dynamically encrypt the virus body in a polymorphic way. It was the first virus to do this.

SB.Starbucks - this was an infector of all StarOffice and OpenOffice applications. It was the first virus for StarOffice and OpenOffice. Necronomikon's Stardust viruses didn't work. He must have never actually run the code.
It is funny that the Kaspersky guys said "we're not hyping it" even though they were, and "it infects files" even though it didn't.

IDC.ID10TiC - this was a direct-action infector of IDA IDC files. It was completely self-contained, unlike SPTH's Gattaca virus, but my code was super simple and his code was super advanced. :)

JS.Unicycle, JS.Unicycle.B - these were the first script viruses to use the Unicode escaping for polymorphism. Since the escaping is converted automatically by the scripting engines, there is no need for a decryptor. The first version had to apply some rules to avoid escaping special characters, but the second version was able to escape everything except one '(' and one ')'.

.NET viruses:

MSIL.Croissant - this was a direct-action infector of PE files (EXE) without looking at the suffix. It was inserting and entrypoint-obscuring. It appended itself to a random routine, and moved everything else down in the file. It fixed up all variables and tables. It did all this without relying on any of the built-in Compiler methods. It parsed the file format itself and updated everything on its own. It could infect 32-bit and 64-bit files. It was the first virus that could do all of that.

64-bit viruses:

W64.Shrug (IA) - this was the first 64-bit virus for Itanium. It was just a 64-bit version of Shrug. IA64 assembler is really hard to write. I won't do that anymore.

W64.Shrug (AMD) - this was the first 64-bit virus for AMD64. Also just a 64-bit version of Shrug.

W32/W64.Shrug - this was the first 32-bit/64-bit cross infector. The 64-bit part was for AMD64 only. I never made an Itanium version of it. Each part could infect both file formats.

W64.Boundary - this was the first polymorphic virus for AMD64. It was just a 64-bit version of Boundary, but it was written to show that coding for both 32- and 64-bit platforms is very easy.

OSX viruses:

OSX.MachoMan (IA), OSX.MachoMan (PPC) - these were the first viruses for OSX that could directly infect Mach-O files.
Instead of the OSX.Leap method, which used a resource fork, MachoMan can look inside the Mach-O format to add a new segment and append the code directly. The segment was special because it was mapped to address 0. This made GDB crash, and IDA did not know about LC_UNIXTHREAD, so the virus code could not be seen in those tools.

New research - I can't say. I don't want to give away any hints about where I will strike next, but I have plans. ;)

EOF: Where do you usually take the names for your viruses from?

rgb: For some old ones, I try to play with the English sounds, because English is a funny language: "HiAnMiT" sounds like "high and mighty". "FarQRSOL" sounds like... "f... you a...hole". "OU812" sounds like "oh you ate one too". "EfishNC" sounds like "efficiency". "Conscrypt" sounds like "script" or "crypt" - it's a crypted script. "Macaroni" sounds a bit like when I say "macro". For Shrug, I could not think of a name and then it was the deadline for submitting to 29A zine. For Chthon, it's an old English word that means "native", because it's a native virus. I don't know how to pronounce it. For some, I pick a word that includes something about the behaviour: "Gemini" is the twins from the zodiac and it's two processes. "Junkmail" because it sends e-mail that looks like rubbish. "Pretext" because it prepends text. "ACDC" because it goes both ways. "Screed" because it uses the Microsoft Script Encoder. "Starbucks" because it infects Star Office files. "Boundary" because it uses the Bound Import Table. "MachoMan" because it infects Mach-O files. "Unicycle" because it uses Unicode escapes. Sometimes, I pick a word that includes the letters of the file format: "CHarM" for "CHM". "hIDAn" for "IDA". "sPIFfy" for "PIF". "weakLNK" for "LNK". I chose "Croissant" because AV guys called Benny's virus "Donut" and mine is tastier. :) I don't know why I chose "Stutter".

EOF: Which types of viruses do you personally like? Do you have some favourite viruses besides your own?
rgb: I like the viruses that demonstrate new techniques. These are things like Zombie's MistFall and Mental Driller's Metaphor. CIH was interesting even though it was very simple. There are probably others, but there are too many viruses these days.

EOF: Which methods of infection do you prefer and which techniques do you like more? What do you think we can expect in the future?

rgb: I like file infection that uses special methods, like insertion or multiple cavities. Perhaps all of the infection methods have been found by now. What remains are new ways to get control or new ways to decrypt the code.

EOF: What do you think is most important in viruses or worms? New techniques, new holes or new platforms, which Anti-Virus software doesn't protect yet?

rgb: It depends on why the virus was written. For demonstration purposes, new techniques or new platforms are always the most important. To spread quickly, new holes must be found. I don't care about Anti-virus, since they will always detect it eventually.

EOF: What do you think we can expect in the future from worms? What in your point of view is more interesting to code, a worm or a virus?

rgb: The future of worms is the same thing forever - all the worms that we see now spread over e-mail or P2P or IM or something like that, and they all look the same. When the reason for writing is to spread, then no-one thinks about new techniques so everything is a copy of everything else. I do the work to exercise my brain, so I don't care about spreading. That's why all of my works look different. The virus is the more interesting to code because it is the harder to code, since it has to take care of more things on the system and the file. A worm needs to know only a protocol for spreading and not much more.

EOF: Which platforms in your opinion are unexplored yet? Which platforms do you think are the best for malware nowadays?

rgb: I don't know about any platforms that are unexplored and still good for demonstrations.
It is mostly applications that are left, like recently WinHex supports scripts and now there is a virus for it, Maya 3D supports scripts and now there is a virus for it. In the future, there will be new interesting hardware platforms. Maybe digital photo frames could be infected and the payload could be to download our pictures instead. The best platform for malware now is still 32-bit Windows. OSX is interesting because Safari has so many vulnerabilities, and Linux is popular, but still the users prefer Windows. The 64-bit platform will become more popular in the next years, but not yet.

EOF: Has something changed since you have been on the scene?

rgb: Many top people quit, many top groups died. Some top people remain, some top groups, too, but the original people got old and tired and there is almost no-one to replace them. Viruses for money have changed the motivations of many people, too. It's no longer about techniques. The, how to say, finesse is lost.

EOF: Sometimes we see that you sign your works with "/defjam". Could you tell us more about this group, roy g biv?

rgb: Defjam was my first group. When I joined, it was just one coder and one designer and me. In 1995, RT Fishel joined, and wrote one virus. Then no-one did anything after that. I used the name in 2001 when I moved to Win32 because I always liked it, and I started using it again after 29A finished, but it was just me for all that time. So if someone wants me to join their group, then I am available for that. ;)

EOF: Who do you think invented the first self-replicating code, and when?

rgb: Maybe Victor Vyssotsky, Robert Morris Sr., and Douglas McIlroy with Darwin in 1961? This supported real programs that could copy themselves within the environment. John Conway in 1970 made his Game of Life, where the code is the cell. John von Neumann described self-replicating automata before that, but he never made any. John Walker wrote Pervade in 1975.
That might be the first program to copy itself to other machines.

EOF: What is your point of view about commercial malware?

rgb: It has destroyed the scene and it hurts real people.

EOF: What is your opinion about Anti-Virus researchers?

rgb: Some of them have incredible skills and I respect them for that. Sometimes I wish that I had found AV first, maybe they would have hired me. Now, for sure not. :) Some of them are just stupid people who love to see their name in the news.

EOF: What are your future plans as a virus writer, roy g biv?

rgb: More platforms, more file formats, more techniques. When I run out of ideas then I will retire. I have a text file with a list of techniques that I want to try. That list has 15 entries right now.

EOF: This is your free space, roy g biv. Here you can send greetings and wishes to friends or someone else.

rgb: I would like to greet these friendly people that have sent me nice mails over the years:

Active - Benny - Malum - Obleak - Prototype - Ratter - Ronin - RT Fishel - sars - SPTH - The Gingerbread Man - Ultras - uNdErX - Vallez - Vecna - VirusBuster - Whitehead

EOF: We are at the end of our interview, roy g biv. Many thanks for the great time that you gave us. ;) We wish you all the best from the whole Electrical Ordered Freedom team. See you!

rgb: Thank you to the EOF team for giving me the honour to be included in their zine. Also for allowing me this opportunity to talk about myself for so many lines. :D